How do you stop an employee sending a sensitive document through their personal email? Endpoint DLP is supposed to prevent such things, but when I go into the details, the products I've looked at seem to provide little or no protection against this route.
If you have a product to suggest, what technical measures does it use to stop someone opening Gmail and uploading the document?
Realize that if I screenshot it and/or put it into a password-protected zip file, it becomes nearly impossible to apply technical measures to classify and protect it as intellectual property without going scorched earth. Therefore, you also need to ensure you have written policy, disciplinary procedures and exec/HR buy-in to cover the cases where employees are actively attempting to bypass the controls.
Given the commonality of briefcases and work-from-home, you also need to decide if printing (at home or at the office) is an acceptable risk.
Also, consider solutions that encrypt the files in a way that they are unusable if accessed on a non-company (e.g. not domain joined) PC (or with an unauthorized account). Then, you no longer need to enumerate all the possible egress methods.
@gidyn wrote:
This just leaves finding an endpoint that can force this kind of proxying.
Most any VPN/remote access software can do this. "Split Tunneling" is a good search term. Split tunneling is the act of sending most stuff to the company and allowing other stuff (e.g. SAAS services) to directly use the home-ISP for performance/capacity reasons. Your goal is to set up split tunneling with most/all Internet destinations "hairpinning" through the company firewall and little to nothing splitting off locally.
A home printer is an example of something that must be "split" if one wants to support it.
@denbesten wrote:
Most any VPN/remote access software can do this.
Most VPN software won't prevent the user from making non-VPN connections. That's what's needed here, prevent them from making any network connections that don't go through the VPN. Or maybe I'm just not familiar enough with what's available?
Based on my experience, you'd have to enforce the use of a proxy via group policy to your company firewall, in conjunction with VPN software, to prevent any non-VPN connections or Internet access. If your firewall has a built-in IPS to provide layer 7 content filtering, that could serve as your filter to prevent email access that's not specifically allow-listed. If it wasn't enforced by a proxy GPO, you'd have to enforce a full tunnel instead of hairpinning to catch all of the traffic, but I'm not sure that's possible with just the remote access software alone.
But that's assuming all of your devices are running Windows. The best way I've found for all OS types is via an agent that proxies traffic to a filter, plus MDM software to enforce device restrictions, e.g., app installs, certs for wireless networks, USB access, etc.
@gidyn wrote: To those advising that I block Gmail or implement network filtering - perhaps I wasn't clear enough in the scenario.
- An employee, who uses a laptop for work, takes it home (or to a public hotspot or wherever), with a sensitive file. Company policy allows this.
- They log into their personal email, which could be Gmail, some boutique provider that you've never heard of, or something they host themselves with old-style web hosting. Nothing on the corporate network or mail gateway can see this.
- They email the sensitive document as an attachment.
Yes, this is a very different set of requirements than those you originally described.
Employees must be allowed to take their laptops home (particularly during pandemics). The only solution I can think of is VDI, which is more overhead than corporate is prepared to invest in.
As I questioned earlier, what value does your company put on their data, what is their assessment of the risks to that data given their current security posture, and how does that translate into a budget to secure that data appropriately?
There are platforms out there that do exactly what you want (e.g. Security Service Edge (SSE) solutions, or if you don't want cloud-hosted, on-prem NGFWs can deliver SSE capability as well), but they are not inexpensive.
Given what you mentioned about VDI solutions being more overhead than corporate is willing to invest, unfortunately these will likely be out of reach for you, so what security capabilities do you already have to help deliver against your requirements?
BTW - I appreciate this was last updated a year ago, therefore it may not be current, but it shows that VDI is not especially expensive:
I wouldn't personally recommend VDI solutions to deliver against a set of security requirements typically, but it makes me question: is the value of your company's data really lower than ~$29 per user, per month? (The lowest price mentioned for 50 users is $1,433 per month.)
If it isn't, you need to approach your business leaders and look to educate them on core risk management principles, and setting appropriate budgets!
@gidyn wrote:
@denbesten wrote: Most any VPN/remote access software can do this.
Most VPN software won't prevent the user from making non-VPN connections. That's what's needed here, prevent them from making any network connections that don't go through the VPN. Or maybe I'm just not familiar enough with what's available?
I am doing this today with the Gartner "enterprise network firewalls" magic quadrant leader. And "disable split tunneling" was a feature in the other enterprise-grade firewalls we evaluated. Its fundamental technique is sending the default route over the tunnel and preventing users from reconfiguring/disabling the agent. No proxy settings; it works 100% by manipulating the PC's routing table.
That said, I do confess that I have very little knowledge of the SMB markets, so I probably am speaking with "big business" blinders on.
For what it's worth "disable split tunneling" is the magic incantation to use when discussing with your vendor.
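The post above describes full-tunnel enforcement as a routing-table matter: the agent pushes the default route over the tunnel, and nothing should be left that sends traffic around it. The following is an added example (not code from any poster or vendor in this thread) of how to audit a Linux laptop for exactly that: it parses the output of `ip -4 route show` and reports any route that lets traffic bypass the tunnel interface. The route lines below are constructed sample data; the interface name `tun0`, the concentrator address `203.0.113.10` and the SaaS range `198.51.100.0/24` are assumptions, not values from the thread.

```python
"""Audit a Linux IPv4 routing table for split-tunnel leaks.

Added example, not from the thread. Assumes the text format printed by
'ip -4 route show' and a VPN that presents one tunnel interface (tun0).
"""
import re
from ipaddress import ip_network

# Constructed sample: a laptop on home Wi-Fi (wlp2s0) whose VPN agent
# installed a preferred default route over tun0 but left a more-specific
# route to a SaaS range (198.51.100.0/24) on the local NIC. 203.0.113.10
# stands in for the VPN concentrator, which legitimately needs a host route.
SAMPLE_SPLIT = """\
default via 10.8.0.1 dev tun0 proto static metric 50
default via 192.168.1.1 dev wlp2s0 proto dhcp metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.5
198.51.100.0/24 via 192.168.1.1 dev wlp2s0 proto static
192.168.1.0/24 dev wlp2s0 proto kernel scope link src 192.168.1.23 metric 600
203.0.113.10 via 192.168.1.1 dev wlp2s0 proto static
"""

# Constructed sample of a properly enforced full tunnel on the same laptop.
SAMPLE_FULL = """\
default via 10.8.0.1 dev tun0 proto static metric 50
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.5
192.168.1.0/24 dev wlp2s0 proto kernel scope link src 192.168.1.23 metric 600
203.0.113.10 via 192.168.1.1 dev wlp2s0 proto static
"""

ROUTE_RE = re.compile(
    r"^(?P<dst>\S+)"                 # 'default' or a prefix/host
    r"(?:\s+via\s+(?P<via>\S+))?"    # optional next hop
    r"\s+dev\s+(?P<dev>\S+)"         # outgoing interface
    r"(?P<rest>.*)$"                 # proto/scope/src/metric tail
)


def parse_routes(text):
    """Turn 'ip -4 route show' output into a list of route dicts."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue  # blank or unrecognised line; ignore
        dst = m.group("dst")
        rest = m.group("rest")
        metric = re.search(r"\bmetric\s+(\d+)", rest)
        routes.append({
            "dst": ip_network("0.0.0.0/0") if dst == "default"
                   else ip_network(dst, strict=False),
            "via": m.group("via"),
            "dev": m.group("dev"),
            "metric": int(metric.group(1)) if metric else 0,
            "link": " scope link" in rest,  # directly attached subnet
        })
    return routes


def audit_split_tunnel(routes, tunnel_dev, vpn_server):
    """Report routes that let traffic bypass tunnel_dev.

    'leaks' are hard failures (a destination reachable around the tunnel);
    'warnings' are fallback default routes that only bite if the agent dies.
    """
    report = {"tunnel_default": False, "leaks": [], "warnings": []}
    server = ip_network(vpn_server)

    defaults = sorted((r for r in routes if r["dst"].prefixlen == 0),
                      key=lambda r: r["metric"])
    if defaults and defaults[0]["dev"] == tunnel_dev:
        report["tunnel_default"] = True
    for r in defaults[1:] if report["tunnel_default"] else defaults:
        if r["dev"] != tunnel_dev:
            report["warnings"].append(
                f"default route via {r['dev']} (metric {r['metric']})")

    for r in routes:
        if r["dst"].prefixlen == 0 or r["dev"] == tunnel_dev:
            continue
        if r["link"]:
            continue  # the local LAN itself; needed to reach the gateway
        if r["dst"] == server:
            continue  # host route to the concentrator; required, not a leak
        report["leaks"].append(str(r["dst"]))

    report["ok"] = report["tunnel_default"] and not report["leaks"]
    return report


if __name__ == "__main__":
    for name, sample in (("split", SAMPLE_SPLIT), ("full", SAMPLE_FULL)):
        print(name, audit_split_tunnel(parse_routes(sample),
                                       "tun0", "203.0.113.10"))
```

On a real machine feed it `subprocess.check_output(["ip", "-4", "route", "show"], text=True)`. Two caveats a practitioner should keep in mind: the audit only observes the table, it does not stop a local administrator from editing it, which is why the post above stresses preventing users from reconfiguring or disabling the agent; and IPv6 needs the same treatment (`ip -6 route show`), because a tunnel that only claims the IPv4 default route leaves dual-stack destinations such as webmail reachable directly.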
It is possible to classify a document as Internal Use Only and restrict access to that document to within the organisation only.
We've used Microsoft technology to do this for a while now but it's important to educate users in the application of the classification scheme.
We can see when the classification has been amended to allow external transfer so there are some detective controls in place too.
Here's a useful starting point to see what is possible:
https://docs.microsoft.com/en-us/azure/information-protection/what-is-azure-rms
https://docs.microsoft.com/en-us/azure/information-protection/rms-client/track-and-revoke-admin
Other products are available which do a similar thing but here are the key things we have in place to reduce the risk:
I hope this helps.
@tmekelburg1 and all. Here is a prime example and good use case of applying Zero Trust Security for protecting users and remote workers.
An ideal migration would be to, for example, Zscaler with its capabilities, applying a SASE architecture.
Another approach would be to use cloud services such as CrowdStrike, but given that the user is using Gmail on a corporate-owned system, you have every right to apply agents to protect the organization.
Regards
Caute_Cautim